1. A method for provision of access for a data requesting entity (IRE) to
data related to a principal, comprising the following steps:
- creating an access granting ticket comprising
  (a) an access specification specifying a permission for an
  access to data related to the principal, said data being
  available at a data providing entity (IPE1),
  (b) a principal identifier representing the principal towards the
  data providing entity (IPE1),
- encrypting the access granting ticket with an encryption key of
  the data providing entity (IPE1),
- communicating to the data requesting entity (IRE) the
  encrypted access granting ticket accompanied by an identifier
  of the data providing entity (IPE1),
- communicating from the data requesting entity (IRE) to the
  data providing entity (IPE1) a request comprising the encrypted
  access granting ticket,
- decrypting the encrypted access granting ticket with a
  decryption key of the data providing entity (IPE1)
  corresponding to the encryption key,
- providing to the data requesting entity (IRE) access to data
  related to the principal identifier according to the access
  specification.

2. The method according to claim 1, wherein the encrypted access granting
ticket comprises or is accompanied by verification information and
access is provided based on an analysis of the verification information.

3. The method according to claim 1 or 2, wherein the request to the data
providing entity (IPE1) comprises a specification for requested data
related to the principal and access is provided according to a matching of
the access specification and the requested data.

4. The method according to any of the preceding claims, wherein the
access granting ticket is created based on a data storage correlating at
least two items of a group comprising the identifier of the data providing
entity (IPE1), the data related to the principal available at the data
providing entity (IPE1), the principal identifier, the encryption key, and the
access specification.

5. The method according to any of the preceding claims, wherein an
indication for the access specification is entered into a principal entity
(UE) to create the access granting ticket.



6. The method according to any of the preceding claims, wherein the
access granting ticket further comprises security information and access
is provided based on an analysis of the security information.

7. The method according to any of the preceding claims, wherein the
encrypted access granting ticket is accompanied by public information.

8. The method according to claim 7, wherein the request to the data
providing entity (IPE1) is communicated based on an analysis of the
public information.

9. The method according to claim 7 or 8, wherein the decryption is based 
on an analysis of the public information. 

10. The method according to any of the preceding claims, wherein the data 
to which access is provided to is transferred to the data requesting entity 
(IRE). 

11. The method according to any of the preceding claims, wherein at least
one further encrypted access granting ticket for further data related to the
principal available at at least one further data providing entity (IPE2) is
created and communicated to the data requesting entity (IRE) for
provision of access to the further principal related data available at the at
least one further data providing entity (IPE2), the at least one further
encrypted access granting ticket being accompanied by at least one
further identifier of the at least one further data providing entity (IPE2).

12. A principal entity (UE) for provision of access for a data requesting entity
(IRE) to data related to a principal, comprising a transmission unit for
sending of messages and information and a processing unit for
processing of messages and information, wherein the processing unit is
adapted to create an access granting ticket comprising an access
specification specifying a permission for an access to data related to the
principal, said data being available at a data providing entity (IPE1), and
a principal identifier representing the principal towards the data providing
entity (IPE1), to encrypt the access granting ticket with an encryption key
of the data providing entity (IPE1), and to obtain an identifier of the data
providing entity (IPE1), and the transmission unit is adapted to send the
encrypted access granting ticket accompanied by the identifier of the
data providing entity (IPE1) to the data requesting entity (IRE).

13. The principal entity (UE) according to claim 12, wherein the processing 
unit is adapted to include verification information into the access granting 
ticket and/or to attach verification information to the encrypted access
granting ticket and the transmission unit is adapted to send the encrypted 
access granting ticket accompanied by the attached verification 
information to the data requesting entity (IRE). 



WO 2004/088947                PCT/EP2003/003539



14. The principal entity (UE) according to claim 12 or 13, wherein the
processing unit is adapted to access a data storage correlating at least
two items of a group comprising the identifier of the data providing
entity (IPE1), the data related to the principal available at the data
providing entity (IPE1), the principal identifier, the encryption key, and the
access specification, and to create the access granting ticket based on
the data storage.

15. The principal entity (UE) according to any of the claims 12 to 14, wherein
the processing unit is adapted to create the access granting ticket based
on an indication for the access specification entered into an input unit of
the principal entity (UE).

16. The principal entity (UE) according to any of the claims 12 to 15, wherein
the processing unit is adapted to include security information into the 
access granting ticket. 

17. The principal entity (UE) according to any of the claims 12 to 16, wherein
the processing unit is adapted to obtain public information and the 
transmission unit is adapted to send the encrypted access granting ticket 
accompanied by the public information to the data requesting entity 
(IRE). 

18. The principal entity (UE) according to any of the claims 12 to 17, wherein
the processing unit is adapted to create at least one further encrypted
access granting ticket for further data related to the principal available at
at least one further data providing entity (IPE2) and the transmission unit
is adapted to send the further encrypted access granting ticket to the
data requesting entity (IRE) accompanied by at least one further identifier
of the at least one further data providing entity (IPE2) for provision of
access to the further principal related data available at the at least one
further data providing entity (IPE2).

19. A data requesting entity (IRE) comprising a receiving unit for receiving
messages and information, a transmission unit for sending of messages
and information, and a processing unit for processing of messages and
information, the receiving unit is adapted to receive a first encrypted
access granting ticket for provision of access to first data related to a
principal, said first data being available at a first data providing entity
(IPE1), the first encrypted access granting ticket being accompanied by
an identifier of the first data providing entity (IPE1) and to receive a
further encrypted access granting ticket for provision of access to further
data related to the principal, said further data being available at a further
data providing entity (IPE2), the further encrypted access granting ticket
being accompanied by a further identifier of the further data providing
entity (IPE2), the processing unit is adapted to generate a first request
comprising the first encrypted access granting ticket and a further
request comprising the further encrypted access granting ticket and the
transmission unit is adapted to send the first request to the first data
providing entity (IPE1) and the further request to the further data
providing entity (IPE2), and the receiving unit is adapted to receive a first
indication for access provision to the first data from the first data
providing entity (IPE1) and a further indication for access provision to the
further data from the further data providing entity (IPE2).

20. The data requesting entity (IRE) according to claim 19, wherein at least
one of the first encrypted access granting ticket and the further encrypted
access granting ticket is accompanied by public information and the
processing unit is adapted to analyze the public information before the
generation of at least one of the first request and the further request.

21. The data requesting entity (IRE) according to […], wherein the
first indication comprises the first data related to the principal and the
further indication comprises the further data related to the principal.

22. A data providing entity (IPE1) for provision of access to data related to a
principal, the data providing entity (IPE1) comprising a receiving unit for
receiving messages and information, a transmission unit for sending of
messages and information, and a processing unit for processing of
messages and information, wherein the receiving unit is adapted to
receive a request from a data requesting entity (IRE), the request
comprising an access granting ticket encrypted with an encryption key of
the data providing entity (IPE1), the access granting ticket comprising an
access specification specifying a permission for an access to data related
to the principal, said data being available at the data providing entity
(IPE1), and a principal identifier representing the principal towards the
data providing entity (IPE1), the processing unit is adapted to decrypt the
encrypted access granting ticket with a decryption key of the data
providing entity (IPE1) corresponding to the encryption key and to
provide to the data requesting entity (IRE) access to data related to the
principal identifier according to the access specification.

23. The data providing entity (IPE1) according to claim 22, wherein the
encrypted access granting ticket comprises or is accompanied by
verification information and the processing unit is adapted to provide
access based on an analysis of the verification information.

24. The data providing entity (IPE1) according to claim 22 or 23, wherein the
request comprises a specification for requested data related to the
principal and the processing unit is adapted to provide access according
to a matching of the access specification and the requested data.

25. The data providing entity (IPE1) according to any of the claims 22 to 24,
wherein the access granting ticket further comprises security information
and the processing unit is adapted to provide access based on an
analysis of the security information.

26. The data providing entity (IPE1) according to any of the claims 22 to 25,
wherein the encrypted access granting ticket is accompanied by public
information and the processing unit is adapted to initiate the decryption
based on an analysis of the public information.

27. The data providing entity (IPE1) according to any of the claims 22 to 26,
wherein the transmission unit is adapted to send the data, to which
access is provided to, to the data requesting entity (IRE).

28. A computer program loadable into the processing unit of a principal
entity, wherein the computer program comprises code adapted to create
an access granting ticket comprising an access specification specifying a
permission for an access to data related to the principal, said data being
available at a data providing entity (IPE1), and a principal identifier
representing a principal towards the data providing entity (IPE1), to
encrypt the access granting ticket with an encryption key of the data
providing entity (IPE1), to obtain an identifier of a data providing entity
(IPE1), and to initiate a sending of the encrypted access granting ticket
accompanied by the identifier of the data providing entity (IPE1) to the
data requesting entity (IRE).

29. A computer program loadable into the processing unit of a data
requesting entity (IRE), wherein the computer program comprises code
adapted to process a first encrypted access granting ticket for provision
of access to first data related to a principal, said first data being available
at a first data providing entity (IPE1), the first encrypted access granting
ticket being accompanied by an identifier of the first data providing entity
(IPE1), and to process a further encrypted access granting ticket for
provision of access to further data related to the principal, said further
data being available at a further data providing entity (IPE2), the further
encrypted access granting ticket being accompanied by a further
identifier of the further data providing entity (IPE2), to generate a first
request comprising the first encrypted access granting ticket and a
further request comprising the further encrypted access granting ticket
and to initiate a sending of the first request to the first data providing
entity (IPE1) and of the further request to the further data providing entity
(IPE2), and to process a first indication for access provision to the first
data from the first data providing entity (IPE1) and a further indication for
access provision to the further data from the further data providing entity
(IPE2).



30. A computer program loadable into the processing unit of a data providing
entity (IPE1), wherein the computer program comprises code adapted to
process a request from a data requesting entity (IRE), the request
comprising an access granting ticket encrypted with an encryption key of
the data providing entity (IPE1), the access granting ticket comprising an
access specification specifying a permission for an access to data related
to a principal, said data being available at the data providing entity
(IPE1), and a principal identifier representing the principal towards the
data providing entity (IPE1), to decrypt the encrypted access granting
ticket with a decryption key of the data providing entity (IPE1)
corresponding to the encryption key and to provide to the data requesting
entity (IRE) access to data related to the principal identifier according to
the access specification.

31. The computer program according to any of the claims 28 to 30, wherein
the computer program comprises code adapted to perform any of the
steps of a method according to any of the claims 1 to 11.
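
The method of claims 1 to 3 and 6, sketched end to end as an added example that is not part of the patent text. The claims name no algorithms, so everything concrete here is an assumption: RSA-OAEP wrapping an AES-256-GCM key stands in for the "encryption key of the data providing entity", an Ed25519 signature by the principal is the verification information, a `notAfter` expiry is the security information, and all names and values are constructed.

```javascript
const crypto = require('node:crypto');

// Constructed keys: IPE1's encryption key pair and the principal's signing key pair.
const ipe1 = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const principal = crypto.generateKeyPairSync('ed25519');

// Principal entity (UE): create the ticket, sign it, encrypt it for IPE1.
function createTicket(ipePublicKey, signingKey, principalId, accessSpec, notAfter) {
  const ticket = Buffer.from(JSON.stringify({ principalId, accessSpec, notAfter }));
  const sig = crypto.sign(null, ticket, signingKey); // verification information (assumed form)
  const body = Buffer.from(JSON.stringify(
    { ticket: ticket.toString('base64'), sig: sig.toString('base64') }));
  // Hybrid encryption: fresh AES-256-GCM key, wrapped with IPE1's public key.
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: ipePublicKey, oaepHash: 'sha256' }, key);
  // ipeId is the cleartext identifier the IRE uses to route the opaque ticket.
  return { ipeId: 'ipe1.example', wrappedKey, iv, ct, tag: cipher.getAuthTag() };
}

// Data providing entity (IPE1): decrypt, verify, then match the request to the ticket.
function handleRequest(ipePrivateKey, principalVerifyKey, msg, requested, now) {
  try {
    const key = crypto.privateDecrypt({ key: ipePrivateKey, oaepHash: 'sha256' }, msg.wrappedKey);
    const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
    d.setAuthTag(msg.tag);
    const body = JSON.parse(Buffer.concat([d.update(msg.ct), d.final()]).toString());
    const ticket = Buffer.from(body.ticket, 'base64');
    // Decrypting cleanly proves nothing about who built the ticket; check the signature.
    if (!crypto.verify(null, ticket, principalVerifyKey, Buffer.from(body.sig, 'base64')))
      return { granted: false, reason: 'bad signature' };
    const t = JSON.parse(ticket.toString());
    if (now > t.notAfter) return { granted: false, reason: 'expired' };
    const ok = t.accessSpec.some(a => a.resource === requested.resource && a.op === requested.op);
    return ok ? { granted: true, principalId: t.principalId }
              : { granted: false, reason: 'not permitted' };
  } catch (e) {
    return { granted: false, reason: 'decrypt failed' }; // wrong key or modified ciphertext
  }
}
```

With a public encryption key, anyone can produce a ticket that IPE1 decrypts successfully, which is why the signature check, not the decryption, is what ties the access specification to the principal in this sketch.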